Unauthorized access to infrastructure can lead to severe consequences, such as data breaches and exploitation of security vulnerabilities, which is why infrastructure secrets like passwords and access tokens must be protected. Pulumi addresses these risks with a secure-by-default platform whose built-in secret storage encrypts all secret data, whether users opt for the hosted Pulumi Service, the Self-Hosted Pulumi Service, or a self-managed backend.

The platform automatically encrypts state metadata, including both non-secret and secret information, ensuring that secret values are never exposed in plaintext. Pulumi's providers, such as azure-native and Terraform-based providers like Datadog, automatically identify and protect secret outputs, and users can also mark specific outputs and configuration values as secret.

Pulumi's built-in secret storage is sufficient for smaller organizations; for larger entities, it integrates with centralized secret management systems such as AWS Key Management Service, Azure Key Vault, Google Cloud Key Management, or HashiCorp Vault. Pulumi simplifies secrets management by automatically protecting secrets during the setup and operation of its services.